With Windows 10, we are focused on delivering a simpler, more powerful and intelligent IT experience by deepening integration across Microsoft’s products, creating a unified Microsoft 365 solution. Windows Autopilot simplifies the deployment of new Windows 10 devices in your organization by eliminating the need for IT to create, maintain and apply custom images, dramatically reducing the cost and complexity involved with custom imaging. You can now deliver new Windows 10 devices directly to your users without IT having to touch the device. With just a few simple clicks, your users can get up and running. With Windows Autopilot, the experience of deploying new Windows 10 devices is simple for end users and zero touch for IT—seamlessly integrated across Windows 10, Microsoft Intune, and Azure AD.

This post outlines the latest enhancements to Windows Autopilot in Windows 10, version 1803, specifically:

Windows Autopilot: What’s new in Windows 10, version 1803

Enrollment status

We’ve received extensive requests from customers for the ability to prevent users from accessing the desktop on a Windows 10 device until that device has been provisioned with IT-specified policies and configurations. With Windows 10, version 1803, we’ve addressed this feedback with a feature called enrollment status, which shows the status of a device’s configuration in the Windows 10 Out of Box Experience (OOBE) and gives IT the ability to hold the device in that state until all policies and configuration have been provisioned via MDM.

Figure 1. The enrollment status page.

This feature is now available as a preview with Microsoft Intune with Windows 10, version 1803. To turn on the enrollment status page, go to the Enrollment Status Page (Preview) section under Device enrollment > Windows enrollment in Microsoft Intune. Select the desired profile and click Settings to configure enrollment status page options for that profile. These options include the ability to:

Block the device in Windows 10 OOBE until all apps and profiles are installed on the device.

Choose the actions that users are allowed to perform in case of unexpected failures.

Specify how long the device should wait for enrollment status to complete before showing an error.

Specify a custom message in case of errors.

Currently, the enrollment status page can only be configured for the “All Users” group, which would apply to all devices and users in your organization. We are working on extending this capability to support additional groups in a future Microsoft Intune release.

Known issues

To take advantage of the enrollment status page, ensure that you have pre-installed Windows 10, version 1803 including the latest updates.

Certain policies (e.g. Windows Defender Application Guard) may trigger a reboot while Windows 10 is on the enrollment status page. This may cause the enrollment status to be interrupted and cause Windows Autopilot to fail. The device may prompt for built-in OOBE account (default0) credentials. This issue will be addressed in an upcoming update to Windows 10, version 1803, and we will update this blog post at that time with the details.

We’ve enabled OEMs and hardware vendors to integrate their supply chain and fulfillment systems with Windows Autopilot programmatically. This enables your hardware vendor to automatically register devices into Windows Autopilot as part of your Windows 10 device order fulfillment. With this automation, there is no action required from IT to register newly purchased Windows 10 devices into Windows Autopilot.

Lenovo and Surface have already automated their supply chain into Windows Autopilot, and we’re actively working with Dell, HP and other OEM partners to deliver this simplicity in coming months.

BitLocker updates for Windows Autopilot

With Windows 10, version 1803, we’ve made it possible for automatic BitLocker encryption to work with standard user accounts configured using Windows Autopilot. Please note, however, that automatic BitLocker encryption requires HSTI or InstantGo devices. For hardware that doesn’t support automatic BitLocker encryption, to turn on BitLocker with standard accounts using Microsoft Intune, you may find this blog post helpful.

Automatic Windows Autopilot profile assignment

Today, every time you register a new device with Windows Autopilot, you need to explicitly assign a Windows Autopilot profile to the device. Based on your feedback, we’ve integrated Azure AD groups with Windows Autopilot profile assignment through Microsoft Intune, enabling automatic assignment of a Windows Autopilot profile to Windows Autopilot registered devices. With this capability, you no longer need to manually select Windows Autopilot registered devices and assign them a profile on an ongoing basis. You can use this same Azure AD group for assignment of other Intune policies like apps and configurations, enabling complete automation for IT.

To enable the automatic assignment of the same profile to all Windows Autopilot registered devices, we tag every registered device with a tag called “ZTDID.” That means all you need to do is create an Azure AD group with a dynamic membership rule looking for the ZTDID and assign a Windows Autopilot profile to that group.

Figure 2. Creating a dynamic membership rule that looks for the ZTDID tag.

With this capability, all Windows Autopilot registered devices, regardless of when they were registered (in the past or in the future), will automatically be assigned the Windows Autopilot profile you specified. Please note: dynamic Azure AD group rules can take a few hours to process, so it may take a little while for your Windows Autopilot profile assignments to show up. Alternatively, you can choose to sync on demand from the Windows Autopilot devices blade in Microsoft Intune. For more information on how to create Azure AD dynamic groups for Windows Autopilot, see Create an Autopilot device group.
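The dynamic group described above, as an added example that is not part of the original post: it creates the Azure AD group with the AzureAD PowerShell module and a membership rule that matches the ZTDID tag (stored on the device object's devicePhysicalIds as "[ZTDId]"). The group name, description and mail nickname are placeholders.

```powershell
# Added example (not from the original post): create the Azure AD dynamic device
# group that collects every Windows Autopilot registered device via the ZTDID tag.
# Assumes the AzureAD module is installed and the signed-in account can create groups.
Connect-AzureAD

# Autopilot stamps each registered device's devicePhysicalIds with "[ZTDId]:<id>".
# This rule matches any device carrying that tag, whether registered before or
# after the group is created, so no ongoing manual assignment is needed.
$rule = '(device.devicePhysicalIds -any _ -contains "[ZTDId]")'

$group = New-AzureADMSGroup -DisplayName "Autopilot Devices" `
    -Description "All Windows Autopilot registered devices (dynamic)" `
    -MailEnabled $false -MailNickname "autopilotdevices" -SecurityEnabled $true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Membership is evaluated asynchronously and can take a few hours to populate.
# Re-run this check before assigning the Autopilot profile (and any other Intune
# policies) to the group, so you can confirm the expected devices were picked up.
Get-AzureADGroupMember -ObjectId $group.Id -All $true |
    Select-Object DisplayName, ObjectId
```

Assign the Windows Autopilot profile to this group in Microsoft Intune once the membership check shows the registered devices.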

In a future release, we’ll make it possible for you to specify a custom tag when you order devices from your OEM or hardware vendor to enable the creation of dynamic rules for Windows Autopilot profile assignment based on the tags you specify.

Windows Autopilot device deletion with Microsoft Intune

Based on your feedback, we’ve now made it possible to delete devices from Windows Autopilot using Microsoft Intune. If the devices are enrolled in Intune, you must first delete them from the Azure AD portal. Then, in the Windows Autopilot devices blade, simply select the devices you want to delete and choose Delete. We’re working on simplifying this experience further in a future Microsoft Intune release.

These new capabilities will revolutionize how Windows 10 devices are deployed and reset—and are available to test now with Windows 10 Insider Preview Build 17672 (and later) and the Microsoft Intune preview.

Windows Autopilot Self-Deploying mode (preview)

We want the experience of deploying a new Windows 10 device to be zero touch, not only for IT, but also for the user. With a new Windows Autopilot capability called Self-Deploying mode, a new Windows 10 device can be fully business-ready by simply powering on the device. All the user needs to do is plug in the device to a network, power it on, and watch Windows Autopilot do its magic. With Self-Deploying mode, a normal off-the-shelf Windows 10 PC transforms into an intelligent device that knows how to deploy itself. Windows 10 will join your organization’s Azure AD tenant, enroll the device into Microsoft Intune (using automatic MDM enrollment), and ensure that all policies, applications, certificates, and networking profiles are provisioned on the device (using the enrollment status page).

Windows Autopilot’s Self-Deploying mode also enables you to effortlessly deploy Windows 10 as a kiosk, digital signage device, or shared productivity device. For example, if you leverage the new Kiosk Browser—an app that leverages Microsoft Edge to create a tailored and managed browsing experience—and Microsoft Intune policies to create a local automatic logon account, you can transform an off-the-shelf Windows 10 device into a browser kiosk. All it would take is to power on the device and walk away. Windows Autopilot’s Self-Deploying mode will automatically get the device joined to Azure AD and enrolled into Microsoft Intune, and Microsoft Intune will configure the device, deploy the app, configuration and policies, create an autologon account and transform the device into a locked down browser kiosk. No need to touch the device after power on; it’s as simple as that. For more information, see Simplifying kiosk management for IT with Windows 10.

With the introduction of Self-Deploying mode, we’ve made it possible for you to specify language, region, and keyboard settings for the Windows Autopilot profile. If a device has network connectivity (via an ethernet cable) when it is powered on, Windows Autopilot will automatically configure these settings without requiring any action from the end user.

Figure 4. Configuring OOBE language and keyboard settings

You can use Self-Deploying mode with a Wi-Fi network; however, the user will need to navigate through the Windows 10 OOBE until they reach the Wi-Fi connection step, at which point Self-Deploying mode will kick in. Because Self-Deploying mode doesn’t require a user to enter their organization credentials, it is important that you physically secure possession of your devices before assigning a Windows Autopilot profile, and Self-Deploying mode, to the device.

Note: Self-Deploying mode requires a device with TPM 2.0 used to authenticate the device into your organization’s Azure AD tenant.

Windows Autopilot Self-Deploying mode is available with Windows 10 Insider Preview Build 17672 and later. When configuring a Windows Autopilot profile in Microsoft Intune, you’ll see a new drop-down menu that asks for the deployment mode. In that menu, select Self-Deploying (preview) and apply that profile to the devices you’d like to validate.

Known issues

In the current Windows 10 Insider Preview build, Self-Deploying mode requires the user to interact and click on two pages in the Windows 10 OOBE:

The user must select the “Next” button on a “Welcome” page. (This page will automatically progress in a future Windows 10 Insider Preview build.)

All Windows Autopilot scenarios (including Self-Deploying mode) require the user to interact with the Activities page in the OOBE. (This page will be skipped in all Windows Autopilot scenarios in a future Windows 10 Insider Preview build.)

Remote Windows Autopilot Reset (preview)

Resetting and repurposing Windows 10 devices is a common occurrence for many of our customers. For example, academic institutions often need to reset devices at the end of the academic year and redeploy those devices for the next group of students. With Windows Autopilot Reset, all it takes to reset and deploy a device into a fully business-ready state is the click of a single button in Microsoft Intune.

You may recall that we introduced a similar capability with Windows 10, version 1709 called Windows Automatic Redeployment. Windows Automatic Redeployment required a keyboard shortcut and admin credentials to trigger a reset and redeploy a device. This scenario is still available, but with the addition of the ability to trigger the reset remotely via Microsoft Intune, we are renaming this feature Windows Autopilot Reset.

As mentioned above, Windows Autopilot Reset is available with Windows 10 Insider Preview Build 17672 and later. Windows Autopilot Reset removes personal files, apps, and settings, resetting Windows 10 while still maintaining Azure AD Join and Microsoft Intune enrollment. Enrollment status must be configured for a device to trigger Windows Autopilot Reset as this allows you to ensure that a device goes back into a fully business-ready state, updated with the latest policies, settings, and apps from Microsoft Intune.

Once either a local or remote Windows Autopilot Reset is complete, the device will automatically:

Retain the region, language, and keyboard settings as configured prior to the reset.

Connect to Wi-Fi using the network credentials provisioned to the device prior to the reset.

Apply a new provisioning package (if a provisioning package is inserted via USB when Windows Autopilot Reset is triggered), or reapply the original provisioning package cached locally on the device.

Retain Azure AD Join and Microsoft Intune enrollment.

Return to a known, good, managed and synchronized state.

Whether a device is being transferred from one user to another, or you’re trying to fix a malfunctioning device (e.g. digital signage), Windows Autopilot Reset enables you to reset and automatically redeploy Windows 10 without physically accessing a device. This makes the IT experience of resetting and redeploying hundreds or thousands of devices trivially simple; it just takes the click of a button in Microsoft Intune.

To trigger a remote Windows Autopilot Reset, follow these steps:

Navigate to the Devices tab in the Microsoft Intune console.

In the All devices view, select the target devices and then click More to view device actions.

Select Autopilot Reset to kick off the reset task.

Known issue

In the current Windows 10 Insider Preview build, if you set up a kiosk device with an auto-logon local account and issue a Windows Autopilot Reset to that device, after finishing Windows Autopilot Reset, Windows 10 will prompt you to enter the password for the local auto-logon account. You can leave the password blank and press Enter to log on manually. This issue will be addressed in a future Windows 10 Insider Preview build so that it will not prompt for logon if an auto-logon local account is configured.

Summary

We hope you are as excited about these new capabilities as we are. Windows Autopilot is an absolute game changer, and we will continue to make investments to simplify Windows 10 deployment and management–powered by Microsoft 365.

Please try out these new capabilities and provide feedback and suggestions via the Feedback Hub. We look forward to hearing your thoughts on new capabilities and features.

Would I be able to deploy Provisioning Packages via Intune and have it apply during Enrollment Status? My idea would be to target the provisioning package based on the user's role or membership [HR, Finance, IT etc.]; the (.ppkg) can apply to the user's role vs targeting the hardware. In the event the endpoint is repurposed, I can send an Intune Remote-Wipe or AutoPilot Reset. Reissue the hardware to another team member/staff, they log in, the (.ppkg) applies and it will be at the desired business ready state for that specific user. Or if I decide to purchase inexpensive Windows 10 endpoints, have a (.ppkg) Kiosk mode allowing specific application(s) such as Citrix Receiver, restricting the user from navigating Windows as well, forcing the end user to our RSA or MFA storefront. This way they log into their assigned workspace. If so, we would be able to use Intune and Windows 10 vs GoogleAdmin and Chrome OS for our thin client solution.

Do you also experience that the new devices (correctly registered in the Windows Enrollment) do run through the EULA, Keyboard and Cortana settings although this has been disabled? In the previous service release of Intune this was skipped as configured.

The adoption is very good, fast and agile.

Autopilot, which occurs with the applications of third parties that are not in the Store, how the profile is backed up, in case of theft of equipment, how it is restored and what the equipment and the user had, this type of information is necessary.

Use of Kiosk

Hybrid mode

AutoPilot recommendations for WAN links, Microwaves

Using Windows 1803 and 1809 seems to work great. Is there a way to automate the process of importing HWIDs for existing and new hardware? I followed the link below but I do not get the same OOBE as manually importing the csv files.